A critical vulnerability has been identified in multiple BacklinkSpeed products, designated CVE-2020-36997. This flaw allows an attacker to take complete control of the application by tricking a user into opening a specially crafted file. Successful exploitation could lead to arbitrary code execution, enabling data theft, malware installation, and further network intrusion.

The vulnerability is a stack-based buffer overflow that occurs during the file import process. An attacker can create a malicious file with an oversized data field that, when parsed by the application, overwrites the program's execution stack. This overwrite specifically targets the Structured Exception Handler (SEH) chain, a Windows mechanism for handling program errors. By replacing a legitimate SEH address with a pointer to their own malicious code (shellcode), the attacker can hijack the program's control flow and execute arbitrary commands with the permissions of the user running the application.

This vulnerability is rated as critical severity with a CVSS score of 9.8, reflecting the high potential for significant damage. An attacker who successfully exploits this flaw can gain full control over the affected application, leading to a complete compromise of the underlying system. Potential consequences include the theft of sensitive business data processed by the application, installation of ransomware or spyware, and using the compromised machine as a launchpad for further attacks against the internal network. The low complexity of the attack, requiring only user interaction to open a file, increases the risk of successful exploitation.

Immediate Action: The primary remediation is to apply the vendor-supplied security patches.

• Immediately update all instances of BacklinkSpeed Multiple Products to the latest version.
• Consult the official vendor security advisory for specific patch information and detailed instructions.
• Begin monitoring for signs of exploitation, such as unexpected application crashes or suspicious file imports, and review historical access logs for potential prior compromises.

Proactive Monitoring:

• Monitor system and application logs for crashes related to the BacklinkSpeed application, as these could indicate failed exploitation attempts.
• Use network monitoring tools to detect any unusual outbound connections from workstations running the software, which could signal a successful compromise.
• Implement file integrity monitoring on directories where the application stores its data to detect the presence of malicious files.

Compensating Controls: If immediate patching is not feasible, implement the following controls to reduce risk:

• Enforce a strict policy against opening files from untrusted or unknown sources.
• Utilize Endpoint Detection and Response (EDR) solutions capable of detecting and blocking memory corruption techniques like SEH overwrites.
• Ensure modern exploit mitigations like Data Execution Prevention (DEP) and Address Space Layout Randomization (ASLR) are enabled and enforced system-wide.
• Restrict the application's permissions to the absolute minimum required for it to function.

Public Exploit Available: True

Given the critical CVSS score of 9.8 and the public availability of exploit code, this vulnerability poses a severe and immediate risk to the organization. We strongly recommend that all affected BacklinkSpeed products be patched immediately. This vulnerability should be prioritized with the highest urgency. A comprehensive asset inventory should be conducted to identify all systems running the vulnerable software, and the remediation plan should be executed without delay to prevent potential system compromise.